GDPR and how RhythmOne Is Leading The Way

Trust & Transparency

Trust & Transparency

At RhythmOne we believe the GDPR will help our industry continue to foster greater trust in digital advertising, supported by a transparent, controlled marketplace that benefits businesses and consumers alike.



RhythmOne is well versed in complying with EU standards and is prepared to support our clients and partners in their GDPR compliance journey.

User Experience

User Experience

Privacy and security are paramount concerns in the digital age. The industry’s GDPR compliance efforts are in ultimate service to a safe user experience that engenders greater confidence and trust in businesses.

What Is GDPR?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to provide consistency for data privacy laws across Europe, to protect and empower EU citizens and reshape the way organizations across the region approach personal data and privacy. GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will be in force on May 25, 2018.

At RhythmOne, our view is that privacy and security are of the utmost importance to building a respectful, brand-safe and transparent digital advertising marketplace for publishers, brands, agencies and consumers. We believe the GDPR will help our industry continue to foster greater trust in digital advertising, supported by a more transparent and controlled marketplace for the benefit of businesses and consumers. We are accustomed to complying with the stricter EU standards and are prepared to support our clients and partners through their GDPR compliance journey. We will continue to provide updates regularly on the issues and best practices around effective GDPR compliance.

Our Commitment to GDPR Compliance

Since our founding in 2004, RhythmOne has a proven track record of ensuring our technology incorporates data privacy and security and our standard terms comply with all applicable laws. As a global company with major offices in multiple EU countries, we are accustomed to adapting to specific country requirements around the world.

GDPR is no different. We have built a strong foundation and legacy of abiding by industry best practices and regulations, and applying the highest levels of security and data privacy across our portfolio of products, technologies and services.

RhythmOne’s products and services are currently undergoing a thorough GDPR review, performed by a leading GDPR law firm. This team is auditing our products, practices and data as we develop plans to ensure compliance. Our GDPR-related efforts have been on-going since 2017 and we anticipate completing compliance tasks ahead of the deadline.

We’re here to help our clients and partners gain a better understanding of how GDPR will affect all of us, and further the conversation of the overall benefits of the GDPR to the digital advertising marketplace.

Industry Leadership:
Investing in Standards and Certifications

RhythmOne has an extensive number of certifications already in place that are reviewed annually by governing and standards bodies, including:

  • Network Advertising Initiative (NAI) Codes of Conduct
  • Digital Advertising Alliance (DAA) Self-Regulatory Program for Online Behavioral Advertising
  • Digital Advertising Alliance of Canada (DAAC)’s Self-Regulatory Principles for Online Behavioural Advertising
  • European Interactive Digital Advertising Alliance (EDAA) Principles
  • Internet Advertising Bureau (IAB) Europe’s Self-Regulatory Principles for Online Behavioral Advertising
  • JICWEBS DTSG Good Practice Principles
  • Trustworthy Accountability Group (TAG)
GDPR Partners
iab europe

Support For IAB Europe’s GDPR Consent Solution

RhythmOne expects to support the IAB Europe’s GDPR Transparency & Consent Framework. Read more about the standard and how it is helping all parties in the digital advertising ecosystem ensure that they comply with the EU’s General Data Protection Regulation when processing personal data or accessing non-personal or personal data on user devices.

GDPR and Our technology stack

It’s important for our clients and our company to clarify the different requirements at various points in the ecosystem. As a full-stack technology provider, we act in a number of different capacities, including:

  • Website and mobile app owners (owned and operated web properties such as All Media)
  • SSP (RhythmOne for Publishers)
  • Exchange/Ad Server (RhythmOne Exchange)
  • DSP and DMP (for data targeting and campaign management)
  • Fraud Filter (RhythmGuard)
  • Analytics Providers (Social Sharing and


One of the key considerations in the digital advertising ecosystem that has resulted from the GDPR is the clarification of roles: which organizations are data processors versus data controllers. These designations are critical to understanding the various ecosystems’ roles and responsibilities, before starting to understand GDPR requirements, or starting to implement GDPR standards. According To Article 4 of the EU GDPR, the two roles are described as:



“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Note that it is possible to have joint data controllers in certain circumstances.



“A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

As a result of our GDPR audit (completed as of May 25th, 2018), we have determined that RhythmOne is a ‘Controller’ of personal data, and as such will be adhering to applicable requirements under the GDPR.

Our Plan For GDPR
data collection

The information RhythmOne generally collects falls into two primary categories: browser-based data and mobile app-based data. Browser-based data includes cookies which are used in connection with our technology to deliver targeted ads and improve the user experience, ad serving and web navigation information which may include the collection of browser-based information regarding how consumers use the platform and how they interact with it, information from our technology that facilitates the sharing of web content, and Engage in-game advertising technology. It’s important to understand what personal data means under GDPR:

“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

There are six different legal bases for data collection and processing OF PERSONAL DATA IN/FROM Europe:

  1. Unambiguous consent (e.g., a check box);
  2. Contractual obligation – consent is necessary in order to enter into the contract;
  3. Data processing is part of a legal obligation;
  4. Data processing is necessary to product the vital interest of the data subject or another person;
  5. Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  6. Data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (exceptions apply)

For businesses in the marketing or digital marketing industry or for those who collect data for the purposes of marketing, the three types of consent that typically apply to us are 1, 2, and 6. As part of our compliance efforts, we are working to determine the appropriate legal basis for the collection and processing of personal data from the EU for each of our products and components of our technology stack. For specific products we offer to advertisers and publishers, if it is determined that we will need to obtain unambiguous consent to gather data through this tool, then we will be working with our partners to implement a solution to address this need.

Implications For Product Development

RhythmOne will also adjust its product development process to comply with GDPR regulations. This means that we will adopt the GDPR’s ‘Privacy by Design’ approach, ensuring that any product we develop considers these new privacy standards and takes active steps to confirm that the highest levels of security and privacy protection are in place – both in terms of data collection and storage as well as physical security.

Privacy Policy

RhythmOne regularly reviews and documents our privacy policy as it relates to our products and services. The latest policy is publicly available and can be found below: